Abstract

We propose an extension of minimal intuitionistic predicate logic, based on delimited 
control operators, that can derive the predicate-logic version of the Double-negation 
Shift schema, while preserving the disjunction and existence properties. 
1. Introduction



In [22], Hugo Herbelin showed that, by extending the proof-term calculus of intuitionistic predicate logic with a restricted form of delimited control operators, one can obtain a logical system able to derive a predicate-logic version of Markov's Principle, ¬¬∃xA(x) ⇒ ∃xA(x) (for A(x) a {⇒, ∀}-free formula), while remaining essentially intuitionistic, that is, satisfying the disjunction and existence properties.

Separately, in [21] he also observed that using the full power of delimited control operators one can derive the predicate-logic version of the Double-negation Shift schema, ∀x¬¬A(x) ⇒ ¬¬∀xA(x) (where A(x) is arbitrary), and posed the question whether there is a corresponding logical system which also possesses the disjunction and existence properties. With this article, we answer Herbelin's question in the affirmative.

Delimited control operators have appeared in Theoretical Computer Science, in Semantics of Programming Languages, as a powerful abstraction to account for so-called computational effects. While being pervasive in the practice of writing computer programs (they include facilities as basic as reading from and writing into memory, stopping the execution of the program, or parallel computation), giving a good mathematical explanation of effects is still one of the major research topics in Semantics.

An important step in that direction was a result of Filinski [13], who showed that every monadic computational effect can be operationally simulated by the delimited control operators shift/reset, introduced previously by himself and Danvy. However, the logical status of shift/reset themselves, and of other such operators in general, remains to be fully established, something we hope to contribute to with this article.

Another interest in delimited control operators, and actually our original interest in them, comes from the role they promise to play in a future constructive proof of completeness of full intuitionistic logic (with ∨ and ∃) with respect to Kripke semantics, something described in [25, 24].

We illustrate the utility of delimited control operators by considering some examples in a λ-calculus extended with them, containing also natural numbers with the plus operation. The extension consists of two constructs, a delimiter (#, "reset") and a control operator (S, "shift"). The delimiter is used as a special kind of brackets in a λ-term, so that the control operator, which can only appear inside such "brackets", is able to gain control of its surrounding context, up to the delimiter. For example, in the following λ-term reduction,

1 + #(2 + Sk.4) → 1 + #(4{(λa.#(2 + a))/k}) = 1 + #4 → 1 + 4 → 5,

reset is used to delimit the sub-term 2 + Sk.4. Shift then behaves as a binder, like λ-abstraction, that names the abstracted surroundings of shift, 2 + □, by k, and replaces in its sub-expression, 4, all occurrences of k by the abstracted surroundings. In this case, k is not used inside shift; this corresponds to the so-called "exceptions" effect that Herbelin found to be the computational content behind Markov's Principle. In the next example, k is used; the sub-term inside shift uses its surrounding context twice:

1 + #(2 + Sk.(k4 + k8))
→ 1 + #((λa.#(2 + a))4 + (λa.#(2 + a))8)
→ 1 + #((#6) + (#10))
→ 1 + #(6 + 10)
→ 17

From the logical perspective, considering natural deduction formalisms which can be isomorphically presented by proof-λ-terms, we see delimited control, when added to the syntax of such proof terms, as a means of being able to access a certain part of the surroundings of a proof term from inside the proof term itself.² The part of the surroundings that we want to be able to access will be defined as a "pure evaluation context" in Section 2; logically, it is the surroundings of a proof term for a {⇒, ∀}-free formula,³ which is the predicate-logic equivalent of arithmetic Σ⁰₁-formulae, for which we know that classical and intuitionistic provability coincide. In other words, we propose a proof-term calculus for a logic which is essentially intuitionistic, except that at the fragment Σ we are allowed to use classical reasoning to obtain more (succinct) proofs.

² This is to be contrasted to what happens with the (undelimited) control operator call/cc, which is better known in Logic for its role in the development of classical realisability [20, 31, 32, 33]: call/cc amounts computationally to aborting the entire computation and, since its effect is not delimited, one has no hope of getting a natural computational interpretation from classical realisability: a realiser of an existential statement need not be a program which computes a witness for the existential quantifier.

³ Following Berger [8], we call the {⇒, ∀}-free formulae Σ-formulae, and denote them by S, T, U, while general formulae are denoted by A, B, C.

The paper is organised as follows. In the next Section 2 we introduce our system MQC⁺. The acronym comes from Troelstra: IQC is intuitionistic predicate logic, MQC is minimal predicate logic (IQC without the ⊥E rule), and CQC is classical predicate logic. In Section 3 we characterise the relationship between MQC⁺, MQC, and CQC; in particular, we show that an extension to predicate logic of Glivenko's Theorem holds for our system, unlike for MQC. In Section 4 we prove properties of the reduction relation on proof terms, from which we obtain the Disjunction and Existence Property for closed derivations of MQC⁺. In the final Section 5 we discuss related and future work.

2. The system MQC⁺

The natural deduction system of MQC⁺ is shown in Table 1. It consists of the proof rules of minimal intuitionistic predicate logic MQC, plus two new ones, "shift" (S) and "reset" (#).

The turnstile symbol "⊢" can carry an annotation, a Σ-formula T, which is neither used nor changed by the intuitionistic rules. We use the wild-card symbol ∘ for this purpose, to mean that there either is an annotating formula T, or that there is none. In the proof rules where the wild-card appears both above and below the line, it means that either there is the same annotation both above and below, or that there is no annotation above and no annotation below.

The rule (#) can only be applied when the conclusion is a Σ-formula T. It acts as a delimiter in the proof tree, (re-)initialising the annotation with the formula T; from that point upwards in the tree, classical reasoning is allowed, but only so because we are ultimately proving a Σ-formula. The rule (S) can then be used, inside a sub-tree with (#) at its root, as a kind of (¬¬E) rule. Its role is to "escape" to the nearest enclosing delimiter once a witness for the Σ-formula from the annotation has been found.

However, note that, although there can be arbitrarily many uses of the (#) and (S) rules in a derivation tree, only one formula T is allowed to appear in annotations, globally, of a derivation tree. This means that the global T is set once and for all, hence it is not possible to mix derivations using different T and T′. Were we in IQC, a natural choice for the global T would have been ⊥.

As examples, we give the derivations for (generalisations of) the minimal-predicate-logic versions⁴ of Markov's Principle,

(T ⇒ S) ⇒ ((S ⇒ T) ⇒ T) ⇒ S, (MP_T)

and Double-negation Shift,

∀x((A(x) ⇒ T) ⇒ T) ⇒ (∀xA(x) ⇒ T) ⇒ T, (DNS_T)

⁴ The distinguished formula T plays the role of ⊥ and the hypothesis T ⇒ S plays the role of the ⊥E rule.
          A ∈ Γ
        --------- Ax
         Γ ⊢∘ A

  Γ ⊢∘ A1    Γ ⊢∘ A2                  Γ ⊢∘ A1 ∧ A2
  ------------------- ∧I              ------------- ∧E (i = 1, 2)
     Γ ⊢∘ A1 ∧ A2                        Γ ⊢∘ Ai

      Γ ⊢∘ Ai                         Γ ⊢∘ A1 ∨ A2    Γ, A1 ⊢∘ C    Γ, A2 ⊢∘ C
  -------------- ∨I (i = 1, 2)        ----------------------------------------- ∨E
   Γ ⊢∘ A1 ∨ A2                                       Γ ⊢∘ C

    Γ, A1 ⊢∘ A2                       Γ ⊢∘ A1 ⇒ A2    Γ ⊢∘ A1
  --------------- ⇒I                  ------------------------ ⇒E
   Γ ⊢∘ A1 ⇒ A2                               Γ ⊢∘ A2

  Γ ⊢∘ A(x)    x fresh                 Γ ⊢∘ ∀xA(x)
  -------------------- ∀I              ------------ ∀E
      Γ ⊢∘ ∀xA(x)                       Γ ⊢∘ A(t)

      Γ ⊢∘ A(t)                       Γ ⊢∘ ∃xA(x)    Γ, A(x) ⊢∘ C    x fresh
  --------------- ∃I                  ------------------------------------- ∃E
    Γ ⊢∘ ∃xA(x)                                      Γ ⊢∘ C

      Γ ⊢_T T                           Γ, A ⇒ T ⊢_T T
  -------------- # ("reset")           ---------------- S ("shift")
      Γ ⊢∘ T                                Γ ⊢_T A

Table 1: Natural deduction system of MQC⁺
where, according to the already set convention, T and S are Σ-formulae, while A(x) is a general one.

Derivation of MP_T (the annotation S is introduced by the (#) rule; each line is the conclusion of the rule named on the right, applied to the lines it cites):

 1.  T ⇒ S, (S ⇒ T) ⇒ T, S, T ⇒ S ⊢_S S                 Ax
 2.  T ⇒ S, (S ⇒ T) ⇒ T, S ⊢_S T                        S, from 1
 3.  T ⇒ S, (S ⇒ T) ⇒ T ⊢_S S ⇒ T                       ⇒I, from 2
 4.  T ⇒ S, (S ⇒ T) ⇒ T ⊢_S (S ⇒ T) ⇒ T                 Ax
 5.  T ⇒ S, (S ⇒ T) ⇒ T ⊢_S T                           ⇒E, from 4 and 3
 6.  T ⇒ S, (S ⇒ T) ⇒ T ⊢_S T ⇒ S                       Ax
 7.  T ⇒ S, (S ⇒ T) ⇒ T ⊢_S S                           ⇒E, from 6 and 5
 8.  T ⇒ S, (S ⇒ T) ⇒ T ⊢ S                             #, from 7
 9.  T ⇒ S ⊢ ((S ⇒ T) ⇒ T) ⇒ S                          ⇒I, from 8
10.  ⊢ (T ⇒ S) ⇒ ((S ⇒ T) ⇒ T) ⇒ S                      ⇒I, from 9

Derivation of DNS_T (the annotation T is introduced by the (#) rule):

 1.  ∀x((A(x) ⇒ T) ⇒ T), ∀xA(x) ⇒ T, A(x) ⇒ T ⊢_T ∀x((A(x) ⇒ T) ⇒ T)     Ax
 2.  ∀x((A(x) ⇒ T) ⇒ T), ∀xA(x) ⇒ T, A(x) ⇒ T ⊢_T (A(x) ⇒ T) ⇒ T         ∀E, from 1
 3.  ∀x((A(x) ⇒ T) ⇒ T), ∀xA(x) ⇒ T, A(x) ⇒ T ⊢_T A(x) ⇒ T               Ax
 4.  ∀x((A(x) ⇒ T) ⇒ T), ∀xA(x) ⇒ T, A(x) ⇒ T ⊢_T T                      ⇒E, from 2 and 3
 5.  ∀x((A(x) ⇒ T) ⇒ T), ∀xA(x) ⇒ T ⊢_T A(x)                             S, from 4
 6.  ∀x((A(x) ⇒ T) ⇒ T), ∀xA(x) ⇒ T ⊢_T ∀xA(x)                           ∀I, from 5 (x fresh)
 7.  ∀x((A(x) ⇒ T) ⇒ T), ∀xA(x) ⇒ T ⊢_T ∀xA(x) ⇒ T                       Ax
 8.  ∀x((A(x) ⇒ T) ⇒ T), ∀xA(x) ⇒ T ⊢_T T                                ⇒E, from 7 and 6
 9.  ∀x((A(x) ⇒ T) ⇒ T), ∀xA(x) ⇒ T ⊢ T                                  #, from 8
10.  ∀x((A(x) ⇒ T) ⇒ T) ⊢ (∀xA(x) ⇒ T) ⇒ T                               ⇒I, from 9
11.  ⊢ ∀x((A(x) ⇒ T) ⇒ T) ⇒ (∀xA(x) ⇒ T) ⇒ T                             ⇒I, from 10



We now define a calculus of proof-term annotations for the natural deduction system of MQC⁺, a version of simply typed λ-calculus with constants for handling all logical connectives and the delimited control operators, and then a reduction system for proof terms; the idea is that reducing a proof term describes the process of normalising a natural deduction derivation.

The definitions are based on standard treatments of Logic as λ-calculus (see, for example, [41, 10]) and standard treatments of λ-calculus with shift/reset from Semantics of Programming Languages.

2.1 Definition. The set of proof terms is defined by the following inductive definition,

p, q ::= a | ι1 p | ι2 p | case p of (a1.q1 || a2.q2) | (p, q) | π1 p | π2 p | λa.p | pq |
         λx.p | pt | (t, p) | dest p as (x.a) in q | #p | Sk.p

where a, b, k, l denote hypothesis variables, x, y, z denote quantifier variables, and t, u, v denote quantifier terms (individuals); hence, λa.p is a constructor for implication, while λx.p is a constructor for universal quantification; (p, q) is a constructor for conjunction while (t, p) is a constructor for existential quantification, and pq is a destructor for implication while pt is a destructor for universal quantification.

2.2 Remark. The S in Sk.p is a binder: it binds k in p just as λ binds a in q in a lambda abstraction λa.q. Following standard terminology, we sometimes call k a continuation variable.
       (a : A) ∈ Γ
      ------------- Ax
       Γ ⊢∘ a : A

  Γ ⊢∘ p : A1    Γ ⊢∘ q : A2            Γ ⊢∘ p : A1 ∧ A2
  ------------------------- ∧I          ---------------- ∧E (i = 1, 2)
   Γ ⊢∘ (p, q) : A1 ∧ A2                 Γ ⊢∘ πi p : Ai

      Γ ⊢∘ p : Ai                       Γ ⊢∘ p : A1 ∨ A2    Γ, a1 : A1 ⊢∘ q1 : C    Γ, a2 : A2 ⊢∘ q2 : C
  ------------------- ∨I (i = 1, 2)     ------------------------------------------------------------ ∨E
  Γ ⊢∘ ιi p : A1 ∨ A2                              Γ ⊢∘ case p of (a1.q1 || a2.q2) : C

   Γ, a : A1 ⊢∘ p : A2                  Γ ⊢∘ p : A1 ⇒ A2    Γ ⊢∘ q : A1
  --------------------- ⇒I              ------------------------------- ⇒E
  Γ ⊢∘ λa.p : A1 ⇒ A2                            Γ ⊢∘ pq : A2

  Γ ⊢∘ p : A(x)    x fresh              Γ ⊢∘ p : ∀xA(x)
  ----------------------- ∀I            --------------- ∀E
    Γ ⊢∘ λx.p : ∀xA(x)                   Γ ⊢∘ pt : A(t)

       Γ ⊢∘ p : A(t)                    Γ ⊢∘ p : ∃xA(x)    Γ, a : A(x) ⊢∘ q : C    x fresh
  --------------------- ∃I              ------------------------------------------------- ∃E
  Γ ⊢∘ (t, p) : ∃xA(x)                           Γ ⊢∘ dest p as (x.a) in q : C

     Γ ⊢_T p : T                        Γ, k : A ⇒ T ⊢_T p : T
  ---------------- # ("reset")         ------------------------ S ("shift")
    Γ ⊢∘ #p : T                            Γ ⊢_T Sk.p : A

Table 2: Proof term annotation for the natural deduction system of MQC⁺
2.3 Definition. The subset of proof terms known as values is defined by:

V ::= a | ι1 V | ι2 V | (V, V) | (t, V) | λa.p | λx.p

2.4 Definition. The set of pure evaluation contexts, a subset of all proof terms with one placeholder or "hole", is defined by:

P ::= [ ] | case P of (a1.p1 || a2.p2) | π1 P | π2 P | dest P as (x.a) in p |
      Pq | (λa.q)P | Pt | ι1 P | ι2 P | (P, p) | (V, P) | (t, P)

The association of proof terms to natural deduction derivations is given in Table 2. P[p] denotes the proof term obtained from P by replacing its placeholder [ ] with the proof term p.

In order to define a reduction relation on proof terms we also need the notion of (non-pure) evaluation context.

2.5 Definition. The set of evaluation contexts is given by the following inductive definition:

E ::= [ ] | case E of (a1.p1 || a2.p2) | π1 E | π2 E | dest E as (x.a) in p |
      Eq | (λa.q)E | Et | ι1 E | ι2 E | (E, p) | (V, E) | (t, E) | #E

The set of evaluation contexts is larger than the set of pure evaluation contexts, because it includes #. As before, E[p] denotes the proof term obtained from E by replacing its placeholder [ ] with the proof term p.

2.6 Definition. The reduction relation on proof terms "→" is defined by the following rewrite rules:

(λa.p)V → p{V/a}
case ιi V of (a1.p1 || a2.p2) → pi{V/ai}
(λx.p)t → p{t/x}
πi(V1, V2) → Vi
dest (t, V) as (x.a) in p → p{t/x}{V/a}
#V → V
#P[Sk.p] → #p{(λa.#P[a])/k}
E[p] → E[p′] when p → p′

The last rule is known as the "congruent closure" of the preceding rules. The rule for S applies only when the evaluation context P is pure. The reduction strategy determined by the rules is standard call-by-value reduction [40].

2.7 Example. The following are the proof terms corresponding to the derivation trees for MP_T and DNS_T given above:

λe.λa.#e(a(λb.Sk.b))

λa.λb.#b(λx.Sk.axk)

Remark that the proof term for MP_T does not make use of the continuation variable k, but only uses the S operator to pass the value b, once it has been found in the course of the computation, back to the control delimiter #.
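As an added, runnable illustration (not code from the paper), the following Python evaluator implements the call-by-value semantics of shift and reset for the λ-calculus with natural numbers and + from the introduction, following the continuation-passing implementation of Danvy and Filinski: reset installs the identity continuation, and shift reifies the continuation up to the nearest reset. It is applied to the two reductions of the introduction and to the two proof terms of Example 2.7 read as untyped programs. The term classes, the sample arguments e, a and b, and the helper names run, mp_example and dns_example are constructed for this example and do not appear in the paper.

```python
# Added example (not from the paper): a call-by-value evaluator for a
# λ-calculus with natural numbers, +, reset (#) and shift (S), in the
# continuation-passing style of Danvy and Filinski.  Every term is evaluated
# with a Python continuation k; reset runs its body under the identity
# continuation and shift captures k up to the nearest reset.
# Term classes, sample arguments and helper names are constructed here.

class Num:                       # natural number literal n
    def __init__(self, n): self.n = n

class Var:                       # hypothesis or quantifier variable
    def __init__(self, name): self.name = name

class Lam:                       # λx.body (also the binder λx.p of MQC+)
    def __init__(self, x, body): self.x, self.body = x, body

class App:                       # application f a
    def __init__(self, f, a): self.f, self.a = f, a

class Add:                       # l + r
    def __init__(self, l, r): self.l, self.r = l, r

class Reset:                     # #body
    def __init__(self, body): self.body = body

class Shift:                     # Sk.body
    def __init__(self, k, body): self.k, self.body = k, body

class Closure:                   # value of a λ-abstraction
    def __init__(self, x, body, env): self.x, self.body, self.env = x, body, env

class Cont:                      # captured delimited context, the term λa.#P[a]
    def __init__(self, k): self.k = k

def apply_value(fv, av, k):
    if isinstance(fv, Closure):
        return evaluate(fv.body, {**fv.env, fv.x: av}, k)
    if isinstance(fv, Cont):
        # The captured context is already delimited by its own #: run it to
        # its value first, then pass that value to the current continuation.
        return k(fv.k(av))
    raise TypeError("not applicable: %r" % (fv,))

def evaluate(t, env, k):
    if isinstance(t, Num):
        return k(t.n)
    if isinstance(t, Var):
        return k(env[t.name])
    if isinstance(t, Lam):
        return k(Closure(t.x, t.body, env))
    if isinstance(t, App):       # left-to-right call-by-value, as in Definition 2.5
        return evaluate(t.f, env, lambda fv: evaluate(t.a, env, lambda av: apply_value(fv, av, k)))
    if isinstance(t, Add):
        return evaluate(t.l, env, lambda lv: evaluate(t.r, env, lambda rv: k(lv + rv)))
    if isinstance(t, Reset):
        # #p: evaluate p under the identity continuation (rule #V -> V), so
        # nothing outside the delimiter is visible to a shift inside p.
        return k(evaluate(t.body, env, lambda v: v))
    if isinstance(t, Shift):
        # Sk.p inside a delimiter: bind k to the context up to the nearest #
        # (rule #P[Sk.p] -> #p{(λa.#P[a])/k}) and evaluate p on its own.
        return evaluate(t.body, {**env, t.k: Cont(k)}, lambda v: v)
    raise TypeError("unknown term: %r" % (t,))

def run(t):
    return evaluate(t, {}, lambda v: v)

# The two reductions of the introduction, with explicit parentheses:
# 1 + #(2 + Sk.4)  and  1 + #(2 + Sk.(k4 + k8)).
EX1 = Add(Num(1), Reset(Add(Num(2), Shift("k", Num(4)))))
EX2 = Add(Num(1), Reset(Add(Num(2), Shift("k", Add(App(Var("k"), Num(4)),
                                                   App(Var("k"), Num(8)))))))

# The proof terms of Example 2.7, read as untyped programs.
MP = Lam("e", Lam("a", Reset(App(Var("e"), App(Var("a"), Lam("b", Shift("k", Var("b"))))))))
DNS = Lam("a", Lam("b", Reset(App(Var("b"), Lam("x", Shift("k", App(App(Var("a"), Var("x")), Var("k"))))))))

def mp_example():
    # e stands for the hypothesis T ⇒ S (here the identity) and a for
    # (S ⇒ T) ⇒ T, which calls its argument on the witness 7.  The shift
    # discards the context e(...) and returns 7 straight to the delimiter.
    e = Lam("x", Var("x"))
    a = Lam("f", App(Var("f"), Num(7)))
    return run(App(App(MP, e), a))

def dns_example():
    # a stands for ∀x¬¬A(x): given x and a continuation c, it calls c on the
    # witness x + 1.  b stands for ∀xA(x) ⇒ T and uses its argument twice,
    # at 3 and at 4, so the captured continuation λa.#P[a] is re-entered
    # once per use: (3 + 1) + (4 + 1) = 9.
    a = Lam("x", Lam("c", App(Var("c"), Add(Var("x"), Num(1)))))
    b = Lam("g", Add(App(Var("g"), Num(3)), App(Var("g"), Num(4))))
    return run(App(App(DNS, a), b))
```

run(EX1) gives 5 and run(EX2) gives 17, matching the two reduction sequences of the introduction; mp_example() shows the "exceptions" behaviour of the MP_T term (the continuation bound by S is never applied, and the witness escapes to #), while dns_example() shows the DNS_T term re-entering its captured continuation once for each use that the hypothesis ∀xA(x) ⇒ T makes of its argument.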
3. Relationship to MQC and CQC



To connect provability in MQC⁺ with provability in MQC and CQC, we use the following double-negation translation.

3.1 Definition. The superscript translation A^T of a formula A with respect to a Σ-formula T is defined via the subscript translation A_T, which is in turn defined by recursion on the structure of A:

  A^T := (A_T ⇒ T) ⇒ T

  A_T := A                          if A is atomic
  (A □ B)_T := A_T □ B_T            for □ = ∨, ∧
  (A ⇒ B)_T := A_T ⇒ B^T
  (∃xA)_T := ∃xA_T
  (∀xA)_T := ∀xA^T

We write Γ_T for the translation (-)_T applied to each formula of the context Γ individually.
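To make the clauses concrete, here is an added Python implementation (not from the paper) of the subscript and superscript translations of Definition 3.1, placed next to the standard Kuroda translation (¬¬ in front of the whole formula and after each ∀) so that the difference at ⇒ can be checked mechanically; it also checks Remark 3.2 (Σ-formulae are fixed by (-)_T) and the unfolding of (¬¬A)^T used in Section 3. The formula encoding and the helper names sub, sup, neg, kuroda, is_sigma and show are constructed for this example.

```python
# Added example (not from the paper): the translations A_T and A^T of
# Definition 3.1, next to Kuroda's translation for comparison.
# Formulas are tuples: ('atom', name), ('and', A, B), ('or', A, B),
# ('imp', A, B), ('exists', x, A), ('forall', x, A).  The Σ-formula T is a
# parameter of every function; negation ¬_T A is the formula A ⇒ T.

def neg(A, T):
    return ('imp', A, T)

def sup(A, T):
    """A^T := (A_T ⇒ T) ⇒ T"""
    return neg(neg(sub(A, T), T), T)

def sub(A, T):
    """A_T, by recursion on the structure of A."""
    tag = A[0]
    if tag == 'atom':
        return A
    if tag in ('and', 'or'):                  # (A □ B)_T := A_T □ B_T
        return (tag, sub(A[1], T), sub(A[2], T))
    if tag == 'imp':                          # (A ⇒ B)_T := A_T ⇒ B^T
        return ('imp', sub(A[1], T), sup(A[2], T))
    if tag == 'exists':                       # (∃xA)_T := ∃xA_T
        return ('exists', A[1], sub(A[2], T))
    if tag == 'forall':                       # (∀xA)_T := ∀xA^T
        return ('forall', A[1], sup(A[2], T))
    raise ValueError(tag)

def kuroda(A, T):
    """Kuroda's translation ¬¬A*, where A* inserts ¬¬ after every ∀ only."""
    return neg(neg(kuroda_star(A, T), T), T)

def kuroda_star(A, T):
    tag = A[0]
    if tag == 'atom':
        return A
    if tag in ('and', 'or', 'imp'):
        return (tag, kuroda_star(A[1], T), kuroda_star(A[2], T))
    if tag == 'exists':
        return ('exists', A[1], kuroda_star(A[2], T))
    if tag == 'forall':
        return ('forall', A[1], neg(neg(kuroda_star(A[2], T), T), T))
    raise ValueError(tag)

def is_sigma(A):
    """{⇒, ∀}-free formulas, the Σ-formulas of the paper."""
    if A[0] in ('imp', 'forall'):
        return False
    return all(is_sigma(s) for s in A[1:] if isinstance(s, tuple))

def show(A, T):
    """Readable rendering; an implication into T is printed as ¬."""
    tag = A[0]
    if tag == 'atom':
        return A[1]
    if tag == 'imp' and A[2] == T:
        return '¬' + show(A[1], T)
    if tag == 'imp':
        return '(' + show(A[1], T) + ' ⇒ ' + show(A[2], T) + ')'
    if tag in ('and', 'or'):
        op = ' ∧ ' if tag == 'and' else ' ∨ '
        return '(' + show(A[1], T) + op + show(A[2], T) + ')'
    return ('∀' if tag == 'forall' else '∃') + A[1] + show(A[2], T)
```

With T = ('atom', 'T') and P = ('atom', 'P'), show(sup(('forall', 'x', P), T), T) renders as ¬¬∀x¬¬P, and for an implication P ⇒ Q the two translations differ exactly as the text says: sup gives ¬¬(P ⇒ ¬¬Q) whereas kuroda gives ¬¬(P ⇒ Q).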

This translation is the standard call-by-value CPS translation of types [40], and is similar to the Kuroda translation [44], the difference being that we add a double negation not only after ∀, but also after ⇒. Interestingly, when interpreting, using DNS, the negative translation of the Axiom of Countable Choice AC₀, a transformation from the Kuroda translation of AC₀ into our form, with ¬¬ after ⇒, appears to be needed [27, p. 200]. Also, Avigad has remarked in [4] that the Kuroda translation makes essential use of the ⊥E rule.

3.2 Remark. When A is a Σ-formula, we have that A_T = A.

We will denote derivability in MQC⁺ by "⊢⁺", derivability in MQC by "⊢ᵐ", and the one in CQC by "⊢ᶜ". When we say CQC, we have in mind a standard natural deduction calculus, but where ⊥ is replaced by a distinguished formula T (which one will be clear from context) and, correspondingly, the ⊥E rule says that T ⇒ A, and the ¬¬E rule is (A ⇒ T) ⇒ T ⊢ᶜ A. The following theorem is not surprising, since, after all, our system is a subsystem of classical logic, but we give it for the sake of completeness, since this version of Kuroda's translation does not use the ⊥E rule in the target system.

3.3 Theorem (Equiconsistency with MQC). Given a derivation of Γ ⊢⁺ A which uses S and # for the Σ-formula T, we can build a derivation of Γ_T ⊢ᵐ A^T.

Proof. By induction on the derivation, using the proof terms listed below. A line above a sub-term marks the place where the induction hypothesis is applied.

  ā                              = λk.ka
  (λa.p)‾                        = λk.k(λa.λk′.p̄(λb.k′b))
  (pq)‾                          = λk.p̄(λf.q̄(λa.fa(λb.kb)))
  (p, q)‾                        = λk.p̄(λa.q̄(λb.k(a, b)))
  (πi p)‾                        = λk.p̄(λc.k(πi c))
  (ιi p)‾                        = λk.p̄(λa.k(ιi a))
  (case p of (a1.q1 || a2.q2))‾  = λk.p̄(λc. case c of (a1.q̄1 k || a2.q̄2 k))
  (λx.p)‾                        = λk.k(λx.λk′.p̄(λb.k′b))
  (pt)‾                          = λk.p̄(λf.ftk)
  (t, p)‾                        = λk.p̄(λa.k(t, a))
  (dest p as (x.a) in q)‾        = λk.p̄(λc. dest c as (x.a) in q̄k)
  (#p)‾                          = λk.k(p̄(λa.a))
  (Sl.p)‾                        = λk.(p̄(λa.a)){λa.λk′.k′(ka)/l}

□
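The translation table can be executed. The following Python code is an added example (not from the paper) implementing the clauses of Theorem 3.3 on closed terms of the control fragment of the calculus (variables, λ, application, # and S), extended with the natural numbers and + of the introduction by the clauses n‾ = λk.kn and (p + q)‾ = λk.p̄(λa.q̄(λb.k(a + b))), which are assumptions of this example. The output is a control-free term, run here by an ordinary call-by-value evaluator with the identity continuation; the substitution {λa.λk′.k′(ka)/l} in the clause for S is performed with a β-redex, which is equivalent since the substituted term is a value. The tuple encoding, the fresh-name generator and the names cps, evaluate, control_free and run_translated are constructed for this example.

```python
# Added example (not from the paper): the call-by-value CPS translation of
# Theorem 3.3 on closed terms, run by an evaluator that has no control
# operators at all.  Terms are tuples:
#   ('num', n)  ('var', x)  ('lam', x, body)  ('app', f, a)  ('add', l, r)
#   ('reset', body)  ('shift', k, body)
# Numbers and + are not in the paper's calculus; their clauses are assumptions
# of this example: n‾ = λk.k n and (p + q)‾ = λk.p‾(λa.q‾(λb.k(a + b))).
import itertools

_counter = itertools.count()

def fresh(base):
    """A variable name that cannot clash with the source term's own names."""
    return "%s_%d" % (base, next(_counter))

def cps(t):
    """Return the control-free term t‾ of Theorem 3.3 (a function of a continuation)."""
    tag, k = t[0], fresh("k")
    if tag in ('num', 'var'):                  # a‾ = λk.k a
        return ('lam', k, ('app', ('var', k), t))
    if tag == 'lam':                           # (λa.p)‾ = λk.k(λa.λk′.p‾(λb.k′ b))
        _, a, p = t
        k2, b = fresh("k"), fresh("b")
        value = ('lam', a, ('lam', k2, ('app', cps(p), ('lam', b, ('app', ('var', k2), ('var', b))))))
        return ('lam', k, ('app', ('var', k), value))
    if tag == 'app':                           # (pq)‾ = λk.p‾(λf.q‾(λa.f a (λb.k b)))
        _, p, q = t
        f, a, b = fresh("f"), fresh("a"), fresh("b")
        call = ('app', ('app', ('var', f), ('var', a)), ('lam', b, ('app', ('var', k), ('var', b))))
        return ('lam', k, ('app', cps(p), ('lam', f, ('app', cps(q), ('lam', a, call)))))
    if tag == 'add':                           # added clause for +
        _, p, q = t
        a, b = fresh("a"), fresh("b")
        total = ('app', ('var', k), ('add', ('var', a), ('var', b)))
        return ('lam', k, ('app', cps(p), ('lam', a, ('app', cps(q), ('lam', b, total)))))
    if tag == 'reset':                         # (#p)‾ = λk.k(p‾(λa.a))
        _, p = t
        a = fresh("a")
        return ('lam', k, ('app', ('var', k), ('app', cps(p), ('lam', a, ('var', a)))))
    if tag == 'shift':                         # (Sl.p)‾ = λk.(p‾(λa.a)){λa.λk′.k′(k a)/l}
        _, l, p = t
        a, a2, k2 = fresh("a"), fresh("a"), fresh("k")
        reified = ('lam', a2, ('lam', k2, ('app', ('var', k2), ('app', ('var', k), ('var', a2)))))
        # The substitution {reified/l} is done by the β-redex (λl. ...) reified,
        # which is equivalent because reified is a value.
        return ('lam', k, ('app', ('lam', l, ('app', cps(p), ('lam', a, ('var', a)))), reified))
    raise ValueError("unknown term tag: " + tag)

def evaluate(t, env=None):
    """Ordinary call-by-value evaluation; there is no case for # or S."""
    env = env if env is not None else {}
    tag = t[0]
    if tag == 'num':
        return t[1]
    if tag == 'var':
        return env[t[1]]
    if tag == 'lam':
        return (t[1], t[2], env)               # closure
    if tag == 'add':
        return evaluate(t[1], env) + evaluate(t[2], env)
    if tag == 'app':
        x, body, cenv = evaluate(t[1], env)
        return evaluate(body, {**cenv, x: evaluate(t[2], env)})
    raise ValueError("control operator left in translated term: " + tag)

def control_free(t):
    """True when neither # nor S occurs in t, i.e. t is a term of MQC."""
    if t[0] in ('reset', 'shift'):
        return False
    return all(control_free(s) for s in t[1:] if isinstance(s, tuple))

def run_translated(t):
    """Apply t‾ to the identity continuation, the empty evaluation context."""
    i = fresh("i")
    return evaluate(('app', cps(t), ('lam', i, ('var', i))))

# The two reductions of the introduction: 1 + #(2 + Sk.4) and 1 + #(2 + Sk.(k4 + k8)).
EX1 = ('add', ('num', 1), ('reset', ('add', ('num', 2), ('shift', 'k', ('num', 4)))))
EX2 = ('add', ('num', 1), ('reset', ('add', ('num', 2),
       ('shift', 'k', ('add', ('app', ('var', 'k'), ('num', 4)), ('app', ('var', 'k'), ('num', 8)))))))

# The MP_T proof term of Example 2.7 applied to e := λx.x and a := λf.f 7.
MP = ('lam', 'e', ('lam', 'a', ('reset', ('app', ('var', 'e'),
      ('app', ('var', 'a'), ('lam', 'b', ('shift', 'k', ('var', 'b'))))))))
MP_EXAMPLE = ('app', ('app', MP, ('lam', 'x', ('var', 'x'))),
              ('lam', 'f', ('app', ('var', 'f'), ('num', 7))))
```

run_translated(EX1), run_translated(EX2) and run_translated(MP_EXAMPLE) give 5, 17 and 7, the same values the direct reduction of the terms with # and S gives, while control_free(cps(EX2)) confirms that the translated term contains no delimited control operator; this is the content of the theorem for closed terms.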

In order to relate MQC⁺-provability of certain forms of formulae to their provability in MQC and CQC, we need the following version of the DNS schema, which is extended with a clause handling implication, something that is not needed when one has the ⊥E rule. We denote by ¬_T A the formula A ⇒ T; when it is clear from the context, we omit the subscript T from ¬_T.

3.4 Definition. The Double Negation Shift for T (DNS_T) is the following generalisation of the minimal-predicate-logic version of the usual DNS schema, extended with a clause handling implication:

∀x¬_T¬_T A(x) ⇒ ¬_T¬_T(∀xA(x)) (DNS_T^∀)
(A ⇒ ¬_T¬_T B) ⇒ ¬_T¬_T(A ⇒ B) (DNS_T^⇒)

The following proposition is given for IQC as Exercise 2.3.3 of [44]; we give the proof here to emphasise the role of DNS_T^⇒ when ⊥E is not present.

3.5 Proposition. DNS_T ⊢ᵐ ¬_T¬_T A ↔ A^T.

Proof. Induction on the complexity of A. When A is atomic, A^T = ¬¬A.

(∧) Both directions are via the proof term

λc.λk. IH_A(λk′.c(λd.k′(π1 d))) (λa. IH_B(λk′.c(λd.k′(π2 d))) (λb.k(a, b))).

(∨) Both directions are via the proof term

λa.λk.a(λc. case c of (a1. IH_A(λl.la1)(λb.k(ι1 b)) || a2. IH_B(λl.la2)(λb.k(ι2 b)))).

(∃) Analogous to case (∨).

(⇒) In this case it is crucial to use DNS_T^⇒, since in minimal logic we do not have
The direction left-to-right is via the proof term

λc.λk. IH_A^←(λk′. DNS_T^⇒(λa.λk″.k′a) k) (λa. IH_B^→(λk′.c(λf.k′(fa))) (λb.k(λa′.λk′.k′b))).

The direction right-to-left is via the proof term

λc.λk. IH_A^→(λk′. DNS_T^⇒(λa.λk″.k′a) k) (λa. IH_B^←(λk′.c(λf.fak′)) (λb.k(λa′.b))).

The arrows in the superscript of "IH" determine the direction in which the induction hypotheses are used.

(∀) We have:

(∀xA(x))^T = ¬¬(∀xA^T(x)) ↔_IH ¬¬(∀x¬¬A(x)) ↔_{DNS_T^∀} ¬¬¬¬∀xA(x) ↔ ¬¬∀xA(x)

□

3.6 Lemma. Γ ⊢ᶜ A if and only if Γ_T ⊢ᵐ A^T.

Proof. The direction right-to-left follows from the previous proposition, because DNS is a classical theorem. The other direction is by induction on the derivation of Γ ⊢ᶜ A. Actually, we can use the translation table of the proof of Theorem 3.3 to treat all cases, except for the ¬¬E rule, which was not covered by the translation. We remark that there is no need to translate the ⊥E rule, since it comes for free in classical logic: it is derivable from the ¬¬E rule.

To show that Γ_T ⊢ᵐ A^T follows from Γ_T ⊢ᵐ (¬¬A)^T, we use the fact that ⊢ᵐ ¬¬T ↔ T:

(¬¬A)^T = ((A ⇒ T) ⇒ T)^T = ¬¬((A_T ⇒ ¬¬T) ⇒ ¬¬T)
↔ ¬¬((A_T ⇒ T) ⇒ T) = ¬¬¬¬A_T ↔ ¬¬A_T = A^T.

□
We proved the following relationships for the provability of an arbitrary formula A in MQC⁺, MQC, and CQC:

3.7 Corollary. For any formula A, we have the following diagram (edges are labelled by the result that justifies them; the left vertical edge holds because MQC⁺ derives DNS_T, Example 2.7):

  ⊢⁺ ¬¬A  -----(3.3)----->  ⊢ᵐ (¬¬A)^T  <-----(3.6)----->  ⊢ᶜ A
     ^                           |
     |                           | (3.5)
     |                           v
  DNS_T ⊢ᵐ ¬¬A  <--------->  DNS_T ⊢ᵐ ¬¬¬¬A

In particular, the statement ⊢⁺ ¬¬A ⟺ ⊢ᶜ A represents an extension of Glivenko's theorem to predicate logic.



4. Properties

In this section we will prove that MQC⁺ has the Normalisation, Disjunction, and Existence Properties, by proving properties of the reduction relation on proof terms.

4.1 Lemma (Annotation Weakening). If Γ ⊢ p : A, then Γ ⊢_T p : A for any T.

Proof. A simple induction on the derivation. □

4.2 Lemma (Substitutions). The following hold:

1. If Γ, a : A ⊢∘ p : B and Γ ⊢∘ q : A, then Γ ⊢∘ p{q/a} : B.

2. If Γ ⊢∘ p : B(x), where x is fresh, and t is a closed term, then Γ ⊢∘ p{t/x} : B(t).

Proof. The proof is standard, by induction on the derivation (see for example [41]). The new rules S and # pose no problems, since we can use the identities (#p){q/a} = #(p{q/a}) and (Sk.p){q/a} = Sk.(p{q/a}) when k is fresh. □

4.3 Lemma (Decomposition). If Γ ⊢_T P[Sk.p] : B, then there is a formula A and derivations Γ, k : A ⇒ T ⊢_T p : T and Γ, a : A ⊢_T P[a] : B.

Proof. The proof is by induction on the derivation. We only need to consider the rules that can generate a pure evaluation context of the required form. Of the rules that we consider, for the intuitionistic rules, the proof is simply by using the induction hypothesis, as shown below for the ∧I rule; and the only non-intuitionistic rule to consider is S, because # does not generate a pure evaluation context.

• For ∧I, there are two cases to consider, depending on whether the pure evaluation context is (P[Sk.p], q) or (V, P[Sk.p]), but the proofs are analogous. Let the last rule in the derivation be:

  Γ ⊢_T P[Sk.p] : B1    Γ ⊢_T q : B2
  ---------------------------------- ∧I
    Γ ⊢_T (P[Sk.p], q) : B1 ∧ B2

The induction hypothesis gives us a formula A1 and two derivations, Γ, k : A1 ⇒ T ⊢_T p : T and Γ, a : A1 ⊢_T P[a] : B1, from which the goal follows by choosing A := A1.

• For S, the pure evaluation context must be the empty one, so the last used rule is:

  Γ, k : B ⇒ T ⊢_T p : T
  ---------------------- S
    Γ ⊢_T [Sk.p] : B

If we set A := B, the goal follows from the premise of the rule above and, for Γ, a : A ⊢_T [a] : A, from the Ax rule.

□

4.4 Lemma (Annotation Strengthening). If Γ ⊢_S V : T, then Γ ⊢ V : T.

Proof. The proof is by induction on the derivation and very simple. We only need to consider the intuitionistic rules that introduce a value and that prove a Σ-formula, that is, the rules Ax, ∧I, ∨I, and ∃I. S and # do not introduce a value. □

4.5 Theorem (Subject Reduction). If Γ ⊢∘ p : A and p → q, then Γ ⊢∘ q : A.

Proof. The proof is by induction on the derivation and is standard (see for example [41]), by using Substitutions Lemma 4.2 and Decomposition Lemma 4.3. Below, we consider the new rules and, for illustration, one of the intuitionistic rules.

(#) We have Γ ⊢∘ #p and #p → q for some q. We look at three possible cases, because there are three rules for reducing a term of form #p. If q = #q′ and the reduction was by the congruence rule, we have p → q′; now use IH and the # rule to finish the proof. If p is a value and q = p, then Γ ⊢_T q : T; now use Strengthening Lemma 4.4 to conclude Γ ⊢ q : T. The third case is when p = P[Sk.p′] and q = #p′{(λa.#P[a])/k}; then, the proof is by combining Lemmas 4.2 and 4.3.

(S) This case is impossible, since there are no rules for reducing a term of form Sk.p on its own, and the set of evaluation contexts does not include a clause for Sk.[ ].

(∧E) We have Γ ⊢∘ p : A ∧ B, Γ ⊢∘ π1 p : A, and π1 p → q. If the reduction was by the congruence rule, then q = π1 q′ for some q′, and we can use IH. Otherwise, p = (V1, V2) and q = V1, and Γ ⊢∘ p : A ∧ B must have been proved by the ∧I rule, which is enough.

□

While the last theorem shows that reducing a proof term does not change its logical 
specification, the next one shows that a proof term which is not in normal form does 
not get "stuck". 
4.6 Theorem (Progress). If ⊢∘ p : A, p is not a value, and p is not of form P[Sk.p′], then p reduces in one step to some proof term r.

Proof. By induction on the derivation. The cases Ax, (⇒I), and (∀I) introduce a value, while the case (S) introduces a Sk.p term, so they are impossible.

(∧I) We have that ⊢∘ (p, q) : A ∧ B and (p, q) is neither a value nor of form P[Sk.p′]. From (p, q) ≠ V, we have that at least one of p and q is not a value. From (p, q) ≠ P[Sk.p′], we have that p ≠ P′[Sk.r], and p ≠ V or q ≠ P′[Sk.r].

If p is not a value, since it is neither of form P′[Sk.r], by IH, p → r for some r, hence (p, q) → (r, q).

If p is a value V, then q is not a value and it is not of form P′[Sk.r], and, by IH, q → r, therefore (V, q) → (V, r).

(∧E) We have that ⊢∘ π1 p : A and that π1 p, hence p itself, is not of form P[Sk.p′]. If p is a value, then it must be a pair (V1, V2), so π1(V1, V2) → V1. If p is not a value, we can use IH to obtain π1 p → π1 r for some r.

(∨I) From ⊢∘ ι1 p : A ∨ B and ι1 p a non-value and not of form P[Sk.p′], we have that p is not a value and not of that form, so we use IH to obtain an r such that p → r, hence ι1 p → ι1 r.

(∨E) We have ⊢∘ case p of (a1.p1 || a2.p2) : C. If p is a value, then it is of form ιi V, therefore case ιi V of (a1.p1 || a2.p2) → pi{V/ai}. If p is of form P[Sk.p′], then so is case p of (a1.p1 || a2.p2). Otherwise, we use IH to obtain an r such that case p of (a1.p1 || a2.p2) → case r of (a1.p1 || a2.p2).

(⇒E) From pq ≠ P[Sk.r], we have that p ≠ P′[Sk.r], and p ≠ V or q ≠ P′[Sk.r].

If p is not a value, since it is also not of form P′[Sk.r], we can use IH.

If p is a value, it is of form λa.p′. If q is a value V, then pq → p′{V/a}. If q is not a value, it can not be of form P′[Sk.r], because p is a value; then, we can use IH on q.

(∀E) We have ⊢∘ pt : A(t). If p is of form P[Sk.p′], then so is pt. If p is a value, then it is of form λx.r, hence (λx.r)t → r{t/x}. Otherwise, by IH, p → r for some r, so pt → rt.

(∃I) From ⊢∘ (t, p) : ∃xA(x) and (t, p) a non-value and not of form P[Sk.p′], we have that p is not a value and not of that form, so we use IH to obtain an r such that (t, p) → (t, r).

(∃E) We have ⊢∘ dest p as (x.a) in q : C. If p is a value, then it is of form (t, V), therefore dest (t, V) as (x.a) in q → q{t/x}{V/a}. If p is of form P[Sk.p′], then so is dest p as (x.a) in q. Otherwise, we use IH to obtain an r such that dest p as (x.a) in q → dest r as (x.a) in q.

(#) We have ⊢∘ #p : T. If p is a value, then #p → p. If p = P[Sk.p′], then #p → #p′{λa.#P[a]/k}. If p is neither a value nor of form P[Sk.p′], by IH, p → p′, so #p → #p′.

□


4.7 Corollary (Normalisation). For every closed proof term p0, such that ⊢⁺ p0 : A, there is a finite reduction path p0 → p1 → ... → pn ending with a value pn.

Proof. This is a consequence of Subject Reduction and Progress, because a derivation tree ⊢⁺ p0 : A, with no annotations under the turnstile, can not reduce to the form P[Sk.p]. That the reduction path has finite length follows from Theorem 4 of [2, 3].

□

4.8 Remark. When proving Normalisation of a variant of λ-calculus, it is customary to distinguish weak (there exists a terminating reduction sequence) from strong normalisation (all reduction sequences terminate). There is no need to make that distinction in the present case, because the reduction system is of the type known as weak head reduction, which only permits one possible reduction sequence.

4.9 Corollary (Disjunction and Existence Properties). If ⊢⁺ A ∨ B, then ⊢⁺ A or ⊢⁺ B. If ⊢⁺ ∃xA(x), then there exists a closed term t such that ⊢⁺ A(t).

Proof. Let ⊢⁺ p : A ∨ B. By Normalisation and Subject Reduction, for some V, p →* V and ⊢⁺ V : A ∨ B. Since V is a value, V must be of form ι1 V′ or ι2 V′, therefore either ⊢⁺ V′ : A or ⊢⁺ V′ : B. The case for "∃" is analogous. □


5. Related and future work

5.1. Double-negation Shift

The first use of a schema equivalent to DNS appears to be in modal logic, by Barcan [5, 6], who introduced what is today known as Barcan's formula,

∀x□A(x) ⊃ □∀xA(x),

or, equivalently,

◇∃xA(x) → ∃x◇A(x).

Veldman kindly pointed out to us that DNS is also known as Kuroda's Conjecture [34]. In [30], Kripke showed that Kuroda's Conjecture and Markov's Principle are underivable in intuitionistic logic (however, see also [28] for criticism of Kripke's argument).

In [29, Section 2.11], Kreisel used the principle

¬∀nA(n) ⇒ ∃n¬A(n), (GMP)

for A(n) an arbitrary formula, to deal with implication while giving a translation of formulae of Analysis into functionals of finite type. In [39], Oliva calls this principle the Generalised Markov's Principle (GMP) and remarks that HA^ω ⊢ DNS ↔ ¬¬GMP. Kreisel does not give a justification of GMP in his paper.

The term "double negation shift" appears for the first time in [42] to denote the formula

∀n¬¬A(n) ⇒ ¬¬∀nA(n). (DNS)
There, Spector builds upon previous works of Gödel [17, 18, 19]; namely, he realises DNS by adding the schema of bar recursion to Gödel's system T. The name "bar recursion" comes from the Bar Principle of Brouwer, which is used in justifying it. However, Spector attaches no particular interest to the DNS schema itself; he writes:

  The schema [DNS] is chosen not because we believe it is of intuitionistic significance, but to provide a formal system in which classical analysis is easily interpreted, and whose logical basis is intuitionistic. [42]

We treat DNS at the level of predicate logic, not of arithmetic, an important change in status that we plan to investigate in future.

5.2. Negative translation of Countable Choice

The Axiom of Countable Choice,

∀x⁰∃y^ρ A(x, y) ⇒ ∃f^{0→ρ}∀x⁰A(x, f(x)), (AC₀)

is a formula schema of HA^ω, Heyting Arithmetic in all finite types. The type 0 stands for the set of natural numbers N, the type 1 = 0 → 0 stands for the functions N → N, 2 stands for the functionals (0 → 0) → 0, and so on; ρ is a type variable.

Spector showed that Kuroda's [27, p. 163] negative translation, ¬¬(AC₀*), of AC₀,

∀x⁰¬¬∃y^ρ A*(x, y) ⇒ ∃f^{0→ρ}∀x⁰¬¬A*(x, f(x)), (AC₀*)

is provable from DNS and the intuitionistic AC₀. Since AC₀ is realisable in HA^ω, and DNS is realisable by bar recursion, so is AC₀*. His approach was extended to the Axiom of Dependent Choice (DC) by Luckhardt [36] and Howard [23]. In more recent years, Kohlenbach, Berger, and Oliva have given their own versions of bar recursion (see [7] for a comparison).

Since we treat DNS at the level of pure logic, without considering arithmetic axioms, we are only able to give an open proof term deriving the negative translation of AC₀,

∀x⁰¬_T¬_T∃y^ρ A_T(x, y) ⇒ ¬_T¬_T∃f^{0→ρ}∀x⁰¬_T¬_T A_T(x, f(x)). (AC₀^T)

Given a variable c to denote a proof of the intuitionistic AC₀, we can use a proof term similar to the one of DNS_T for deriving the above schema:

λa.λk.#k(c(λx.Sk′.ax(λd.k′(vd)))),

where v is a proof term for ∃yA_T(x, y) ⇒ ∃yA^T(x, y).

The proof term being open means that we can not immediately use it for computation. We would have to either develop a realisability interpretation for MQC⁺, or add delimited control operators to an intuitionistic system with strong existential quantifiers, like Martin-Löf's type theory, which can derive AC₀.
5.3. Herbelin's calculus for Markov's Principle

In [22], Herbelin presented IQC_MP, an intuitionistic predicate logic that can derive the pure predicate-logical version of Markov's Principle. Our MQC⁺ has been developed starting from his calculus. There are two important differences between the two.

First, derivations of IQC_MP are annotated by a context of Σ-formulae, not just one formula. This permits having a derivation which uses multiple and different instances of Markov's Principle. Had we had context-annotations as well, it would have been possible to have the following characterisation of provability of Σ-formulae S:

MP ⊢ᵐ S  ⟺  ⊢⁺ S

Proving that such a context-annotated version of MQC⁺ satisfies the analogues of the properties proven in Section 4 remains future work.

Aside from that, the typing and the reduction rules for delimited control operators of IQC_MP are a restriction of those for MQC⁺. Consider the typing rules:

   Γ ⊢_{α:T,Δ} p : T                    Γ ⊢_Δ p : T    (α : T) ∈ Δ
  ---------------------- Catch         --------------------------- Throw
   Γ ⊢_Δ catch_α p : T                     Γ ⊢_Δ throw_α p : A

While catch is just #, the proof term throw p is a particular case of Sk.p that does not use the continuation variable k inside p, something already seen with the proof term deriving MP of Example 2.7.



5.4. Other studies of delimited control operators

Delimited control operators have been studied in the Theoretical Computer Science literature quite extensively in the past twenty years, since their appearance [35, 43, 12]. We mention some of the works that pertain to Logic.

The original typing system for shift/reset of Danvy and Filinski is a so-called "type-and-effect" system: implication is a quaternary, not a binary, connective, and is as such difficult to understand in traditional logical terms. A proof of Subject Reduction, Progress, and Normalisation of this system appears in [2, 3].

A typing system which is a specialisation of Danvy and Filinski's, but again has a ternary implication connective, appears in [38].

Ariola, Herbelin and Sabry [1] decompose shift/reset in their own calculus and prove, besides other things, the normalisation property for a typing system where reset is applied at atomic types.

There are a number of works connecting delimited control operators to sub-structural classical logic [26, 47, 37]. Our contribution differs in two respects: we identify delimited control operators as giving rise to an a priori constructive logic, rather than classical logic which is only constructive a posteriori for certain classes of formulae; and we are connecting delimited control operators with known extra-intuitionistic axioms, rather than analysing the sub-structural properties of the derivation system rules themselves.
5.5. The meaning of DNS in the presence of common axioms

In this paper we were dealing with a purely predicate-logical version of DNS. Fur- 
ther examination is necessary on how DNS interacts with common logical axioms, 
as Wim Veldman kindly warned us. For instance, DNS is false in some uncountable 
models: for example, it contradicts the continuity principle proposed by Brouwer. 